首页|Identifying high-risk over-entitlement in access control policies using fuzzy logic

Identifying high-risk over-entitlement in access control policies using fuzzy logic

扫码查看
原文链接
  • NETL
  • NSTL
  • 万方数据
  • 维普
Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed.This is a time-consuming and knowledge-intensive process,largely because there is a wealth of policy information that needs to be manually examined.Furthermore,there is no standard definition of what constitutes an over-entitled permission within an organisation's access control policy,making it not possible to develop auto-mated rule-based approaches.It is often the case that over-entitled permissions are subjective to an organisation's role-based structure,where access is be divided and managed based on different employee needs.In this context,an irregular permission could be one where an employee has frequently changed roles,thus accumulating a wide-rang-ing set of permissions.There is no one size fits all approach to identifying permissions where an employee is receiving more permission than is necessary,and it is necessary to examine them in the context of the organisation to establish their individual risk.Risk is not a binary measure and,in this work,an approach is built using Fuzzy Logic to determine an overall risk rating,which can then be used to make a more informed decision as to whether a user is over-entitled and presenting risk to the organisation.This requires the exploratory use of establishing resource sensitivity and user trust as measures to determine a risk rating.The paper presents a generic solution,which has been implemented to perform experimental analysis on Microsoft's New Technology File System to show how this works in practice.A simulation using expert knowledge for comparison is then performed to demonstrate how effective it is at helping the user identify potential irregular permissions.

Fuzzy controlFuzzy systemsSecurityAccess control policiesSecurity analysisRiskFuzzy logicRisk-adaptive access control

Simon Parkinson、Saad Khana

展开 >

Department of Computer Science,University of Huddersfield,Huddersfield HD1 3DH,UK

This work was undertaken during a project funded by the UK's Digital Catapult Researcher in Residency Fellowship programme

Grant Ref:EP/M029263/1

2022

网络空间安全科学与技术(英文版)

网络空间安全科学与技术(英文版)

CSCDEI
ISSN:
年,卷(期):2022.5(2)
  • 56